Just a thought, but I believe the servicePrincipalName attribute value is only 
populated once a computer has been successfully joined to the domain.  Could it be 
that the computer objects for which you have no SPN have never actually joined the 
domain?

Otherwise, I would tend to go with Joe's suggestion that the security has somehow been 
changed.  On the problem machines, check to see whether SELF has "validated write to 
service principal name" set to "Allow".

Tony
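The two hypotheses in this thread (computer objects that were pre-created but never actually joined, versus an OU ACL that no longer lets SELF write its own SPNs) can be separated with a single query. The following PowerShell is an added example, not code from the list or from any poster; it assumes the RSAT ActiveDirectory module, and the search base is a placeholder you adjust to your own OU.

```powershell
# Added example, not from the thread: list computer objects under an OU that
# have no servicePrincipalName, and for each report (a) whether it has ever
# logged on (never-joined hypothesis) and (b) whether NT AUTHORITY\SELF still
# holds "Validated write to service principal name" (ACL-changed hypothesis).
Import-Module ActiveDirectory

# Placeholder search base; the thread keeps users and computers under b.c.fnal.gov.
$SearchBase = 'OU=Computers,DC=b,DC=c,DC=fnal,DC=gov'

# Schema GUID of the Validated-SPN extended right; fixed across all forests.
$ValidatedSpnGuid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'

function Test-SelfCanWriteSpn {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    # A validated write shows up as ActiveDirectoryRights.Self scoped to the
    # right's GUID; an empty ObjectType means "all validated writes" and counts too.
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Self) -ne 0) -and
        ($_.ObjectType -eq $ValidatedSpnGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    return [bool]$match
}

# LDAP filter: computers whose servicePrincipalName attribute is absent.
$noSpn = Get-ADComputer -SearchBase $SearchBase -LDAPFilter '(!(servicePrincipalName=*))' `
    -Properties whenCreated, lastLogonTimestamp, operatingSystem

foreach ($c in $noSpn) {
    # lastLogonTimestamp is a Windows FILETIME; absent if the account never authenticated.
    $lastLogon = if ($c.lastLogonTimestamp) { [DateTime]::FromFileTime($c.lastLogonTimestamp) } else { $null }
    [pscustomobject]@{
        Name            = $c.Name
        Created         = $c.whenCreated
        # $null here: the account has never logged on, so it probably never joined.
        LastLogon       = $lastLogon
        OS              = $c.operatingSystem
        # $false here: the object cannot register its own SPNs, so look at the OU ACL.
        SelfCanWriteSpn = Test-SelfCanWriteSpn -DistinguishedName $c.DistinguishedName
    }
}
```

On a Windows 2000 domain like the one in the thread, lastLogonTimestamp does not exist yet (it arrived with the Windows Server 2003 functional level), so substitute the non-replicated lastLogon attribute and query each DC. Objects that show a logon but no SPN and SelfCanWriteSpn = $false are the ACL case; those that show no logon at all are candidates for the never-joined case. The manual fix the thread describes corresponds to registering the HOST SPN with setspn, for example `setspn -S HOST/<hostname> <computer>$`, which also refuses to create a duplicate.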

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Monday, 12 January 2004 04:50
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] computer accounts created without
serviceprincipalname

joe wrote:

> Do you have a disjoint name space or have you really tightened down your 
> security on those OUs?

Joe,

The security has not been tightened down too much. We have a limited number of
people who can add machines to the OU.

As for your other question - I'm assuming you mean DNS names. The machines
that have had the problem have different roots.

The DCs are dcX.b.c.fnal.gov whereas the regular servers and workstations are
srvr1.fnal.gov and wks1.fnal.gov. We have an empty root, c.fnal.gov, and
users and computers reside in OUs that are in b.c.fnal.gov.

The puzzling part to me is that the problem is random.

Thanks for any light you can shine on this.

        al


>    joe
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al 
> Lilianstrom
> Sent: Sunday, January 11, 2004 9:29 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] computer accounts created without 
> serviceprincipalname
> 
> Hi,
> 
> We have a w2k sp3 based domain and while troubleshooting an IIS problem 
> we noticed that the machine that was causing problems was only doing 
> NTLM authentication while the other servers the IIS server was serving 
> were using Kerberos authentication. We checked that our policies were 
> being applied properly - all ok. I talked with our local windows 
> security expert and he suggested checking for the existence of the 
> serviceprincipalname as if it wasn't there then the server would have 
> no way of doing Kerberos as it could not accept tickets. Checked the
> server's entry in AD and SPN was missing.
> After it was put in manually everything started working properly.
> 
> I checked one OU and came up with a significant number of machines 
> without the SPN. Some were upgrades from NT, some were new installs. 
> I've been looking on Microsoft for an article on what might be wrong and
> have come up empty.
> 
> Any ideas?
> 
>       al

-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
